Hello Silvio,

First of all, great idea and nice script! Two small things:

- The ssh port is fixed as TCP port 12500. Since 12500 > 1024 this is a non-privileged port, which is a security risk. Ports < 1024 can only be opened (here: state LISTEN) by root, others by everyone. If a user manages to crash your sshd then they can start their own service at that port. Even though ssh has protection against MitM by means of key fingerprints, the attacker can at least keep you from starting sshd by blocking that port (not ideal on a remote server).

- You test a Debian release version to see whether to use /usr/sbin/iptables-nft or /usr/sbin/iptables. More portable and simpler would be to test for -x /usr/sbin/iptables-nft.

Best wishes,
NTS

On Tue, 11 Feb 2020 at 14:26, Genes Lists via arch-general <arch-general@archlinux.org> wrote:
Hi Silvio
One general comment - your script uses the iptables command for each rule - this is extremely inefficient. This is probably not a big deal in your case but I'll mention it anyway.
A far better way is to output the firewall in the same format as iptables-save uses, then simply use iptables-restore to load the firewall rules - this reads the entire set of rules and asks the kernel to install them all in one shot. This is essentially just dropping the '$IPT' part for each rule plus a slightly different way to define chains and set the default policies.
One way to see the format is simply to use iptables-save on existing firewall. This is the format used by iptables to save / restore rules.
best
gene
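The two suggestions in this thread (NTS: pick the backend with a `-x` test instead of a release check; gene: emit the rules in iptables-save format and load them with one iptables-restore call) put together in one script. This is an added example, not Silvio's script and not code from either poster. The ruleset itself (TCP port 12500 for ssh, conntrack rules, ping) is assumed for illustration; the interface and policy choices are not from the original posts.

```shell
#!/bin/sh
# Added example: build a ruleset in iptables-save format and load it with a
# single iptables-restore call, picking the nft backend when its binary is
# executable.  Port 12500 is the value discussed on the list; the rest of the
# ruleset is an assumption for illustration.
set -eu

SSH_PORT=12500

# NTS's suggestion: test for the executable rather than a distribution release.
pick_iptables() {
    if [ -x /usr/sbin/iptables-nft ]; then
        echo /usr/sbin/iptables-nft
    else
        echo /usr/sbin/iptables
    fi
}

# gene's suggestion: the whole ruleset in the format iptables-save prints and
# iptables-restore reads.  Chains are declared as ":NAME POLICY [pkts:bytes]",
# each rule is the iptables command line without the "iptables" prefix, and
# COMMIT closes the table.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Number of "-A" rules the generator emits; a cheap sanity check before loading.
rule_count() {
    build_ruleset | grep -c '^-A '
}

# Parse the ruleset with --test first (no commit), then install it in one shot.
# Needs root and a working backend; otherwise just print what would be loaded.
apply_ruleset() {
    IPT=$(pick_iptables)
    if [ "$(id -u)" -eq 0 ] && [ -x "${IPT}-restore" ]; then
        build_ruleset | "${IPT}-restore" --test
        build_ruleset | "${IPT}-restore"
    else
        build_ruleset
    fi
}

# Usage: ./fw.sh print   (show the ruleset)
#        ./fw.sh apply   (load it; as root)
case "${1:-}" in
    print) build_ruleset ;;
    apply) apply_ruleset ;;
esac
```

The `--test` pass makes iptables-restore parse and construct the whole ruleset without committing it, so a typo in one rule is caught before the existing firewall is replaced; the real load then swaps the entire table atomically instead of leaving a half-built chain if one `iptables` invocation in a loop fails.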